Closed cudgel closed 3 weeks ago
Thank you very much for this massive PR. Give me a little bit of time to review it.
I have another one to follow that adds vulnerable LAMP stack with optional ALB and Splunk Edge Processor with optional NLB but I thought I would break it into smaller pieces. ;)
This code is already part of this PR. I need to spend some time on the code so that as many features as possible also work for Azure and local. In the future it is a lot easier to review and merge when it is small PRs like one for Cisco AMP, one for configurable IP addresses and so on.
I will create new branches and PRs for every feature which you developed and test them. I can't promise that we can merge everything but I will do my best.
LOL, it shows I need more practice at pull requests. I had to re-add all of my changes at once because the develop branch was significantly refactored right as I published my branch in my fork. So I re-synced develop and tried to merge a subset of the changes into develop. With mixed results it seems. Well, I have now fully merged my branch into the develop branch in my fork. Let me explain my use case.
Deploying in a test AWS LZA environment with no default VPC. Multiple AZs, so I had to be able to specify subnets that were in AZs that had the required instance types. I am using a hybrid BYO-Splunk environment: the Splunk server forwards to Splunk Cloud, as does the Firehose, but you could configure a HEC endpoint on the Attack Range Splunk instance.
At the same time, I wanted to be able to test additional endpoint products side by side in the environment. Here is the working yaml I am using in my development environment:
```yaml
general:
  cloud_provider: aws
  name_prefix: "ar"
  attack_range_name: "csm"
  attack_range_password: XXXXXXXXXXXXXXXXXXX
  key_name: XXXXXXXXXX
  ip_whitelist: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  use_elastic_ips: "0"
  cisco_amp_ubuntu_agent: XXXXXXXXXXXXXXXXXX_ubuntu-20-04-amd64.deb
  cisco_amp_windows_agent: XXXXXXXXXXXXXXXXXX.exe
  cortex_xdr_windows_agent: XXXXXXXXXXXX_x64.msi
  cortex_xdr_ubuntu_agent: XXXXXXXXXXXX.deb
  nessus_agent: "1"
  nessus_agent_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  nessus_ubuntu_agent: XXXXXXXXXXXXXXXX_amd64.deb
  dns_zone: "attackrange.local"
  domain: "www.attackrange.local"
aws:
  private_key_path: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  region: us-east-1
  use_elastic_ips: "0"
  use_remote_state: "1"
  tf_remote_state_s3_bucket: "XXXXXXXXXXXXXXXXXXXXXX"
  tf_remote_state_dynamo_db_table: "XXXXXXXXXXXXXXXXXXXXXX"
  vpc_id: "vpc-XXXXXXXXXXXXXXXXX"
  public_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  alt_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  private_subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
  network_prefix: "10.0.76"
  network_cidr: "10.0.76.160/27"
  first_dynamic_ip: "185"
  bastion_host_ip: 10.0.76.178
windows_servers:
  - hostname: ar-win-dc
    create_domain: "1"
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
    bad_blood: "1"
  - hostname: ar-win-1
    join_domain: "1"
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
  - hostname: ar-win-2
    join_domain: "1"
    install_red_team_tools: "1"
    install_cisco_amp: "1"
linux_servers:
  - hostname: ar-linux-1
    install_red_team_tools: "1"
    install_cortex_xdr: "1"
  - hostname: ar-linux-2
    install_red_team_tools: "1"
    install_cisco_amp: "1"
kali_server:
  kali_server: "1"
  kali_server_ip: "10.0.76.183"
zeek_server:
  zeek_server: "1"
  zeek_server_ip: "10.0.76.182"
snort_server:
  snort_server: "1"
  snort_server_ip: "10.0.76.184"
splunk_server:
  splunk_server: "1"
  splunk_server_ip: "10.0.76.181"
  s3_bucket_url: "XXXXXXXXXXXXXXXXXXX"
  s3_bucket_prefix: "attack_range"
  splunk_apps:
    - ar_forwarder.tgz
    - DA-ESS-ContentUpdate-latest.tar.gz
    - TA-aurora-0.2.0.tar.gz
    - TA-osquery.tar.gz
    - app-for-circleci_011.tgz
    - phantom-app-for-splunk_4035.tgz
    - palo-alto-networks-add-on-for-splunk_813.tgz
    - punchcard-custom-visualization_150.tgz
    - python-for-scientific-computing-for-linux-64-bit_420.tgz
    - snort-alert-for-splunk_111.tgz
    - splunk-add-on-for-amazon-web-services-aws_760.tgz
    - splunk-add-on-for-carbon-black_210.tgz
    - splunk-add-on-for-crowdstrike-fdr_200.tgz
    - splunk-add-on-for-github_300.tgz
    - splunk-add-on-for-google-workspace_281.tgz
    - splunk-add-on-for-amazon-kinesis-firehose_131r7d1d093.tgz
    - splunk-add-on-for-microsoft-cloud-services_530.tgz
    - splunk-add-on-for-microsoft-office-365_451.tgz
    - splunk-add-on-for-microsoft-windows_880.tgz
    - splunk-add-on-for-nginx_322.tgz
    - splunk-add-on-for-sysmon-for-linux_100.tgz
    - splunk-add-on-for-sysmon_400.tgz
    - splunk-add-on-for-unix-and-linux_910.tgz
    - splunk-app-for-stream_813.tgz
    - splunk-common-information-model-cim_532.tgz
    - splunk-es-content-update_4390.tgz
    - splunk-machine-learning-toolkit_541.tgz
    - splunk-sankey-diagram-custom-visualization_160.tgz
    - splunk-security-essentials_380.tgz
    - splunk-timeline-custom-visualization_162.tgz
    - splunk_attack_range_reporting-1.0.9.tar.gz
    - status-indicator-custom-visualization_150.tgz
    - ta-for-zeek_108.tgz
    - vmware-carbon-black-cloud_115.tgz
  # List of Splunk Apps to install on the Splunk Server
edge_processor:
  edge_processor: "1"
  use_nlb: "1"
  splunk_edge_url: "https://beam.scs.splunk.com/splunk-edge/XXXXXXXXXXXXXXXXXXX/linux/splunk-edge.tar.gz"
  splunk_edge_tenant: "XXXXXXXXXXX"
  splunk_edge_env: "production"
  splunk_edge_gid: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  splunk_edge_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
httpd_server:
  httpd_server: "1"
  use_alb: "1"
  install_lamp: "1"
  install_modsec: "1"
  install_dvwa: "1"
  install_mutillidae: "1"
  install_sqli: "1"
waf:
  waf: "1"
  splunk_hec_endpoint: "https://http-inputs-firehose-XXXXXXXXX.splunkcloud.com:443"
  splunk_hec_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
```
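With every server IP now coming from the config, the easiest mistake is a static address that falls outside `network_cidr`, lands in the range handed out from `first_dynamic_ip` upward, or hits one of the addresses AWS reserves in each subnet (the first four and the last). The check below is an added example, not code from the PR or the Attack Range project; the `CONFIG` dict is a constructed excerpt of the YAML above with secrets removed, and the reserved-address rule is an assumption about AWS subnets rather than anything the config enforces.

```python
import ipaddress

# Constructed excerpt of the posted config (only the IP-plan keys, no secrets).
CONFIG = {
    "aws": {"network_prefix": "10.0.76", "network_cidr": "10.0.76.160/27",
            "first_dynamic_ip": "185", "bastion_host_ip": "10.0.76.178"},
    "kali_server": {"kali_server": "1", "kali_server_ip": "10.0.76.183"},
    "zeek_server": {"zeek_server": "1", "zeek_server_ip": "10.0.76.182"},
    "snort_server": {"snort_server": "1", "snort_server_ip": "10.0.76.184"},
    "splunk_server": {"splunk_server": "1", "splunk_server_ip": "10.0.76.181"},
}


def static_ips(config):
    """Collect the bastion IP plus the *_ip of every enabled server section."""
    ips = {"bastion_host_ip": config["aws"]["bastion_host_ip"]}
    for section, values in config.items():
        if section != "aws" and values.get(section) == "1":  # e.g. kali_server: "1"
            ips[f"{section}_ip"] = values[f"{section}_ip"]
    return ips


def check_ip_plan(config):
    """Return a list of problems with the static IP plan; [] means it is consistent."""
    aws = config["aws"]
    net = ipaddress.ip_network(aws["network_cidr"], strict=True)
    first_dyn = ipaddress.ip_address(f"{aws['network_prefix']}.{aws['first_dynamic_ip']}")
    # Assumed AWS rule: first four and last address of a subnet are not assignable.
    reserved = {net.network_address + i for i in range(4)} | {net.broadcast_address}
    problems = []
    if first_dyn not in net:
        problems.append(f"first_dynamic_ip {first_dyn} outside {net}")
    seen = {}
    for name, raw in static_ips(config).items():
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            problems.append(f"{name} {ip} outside {net}")
        elif ip in reserved:
            problems.append(f"{name} {ip} is reserved by AWS in {net}")
        if ip >= first_dyn:
            problems.append(f"{name} {ip} collides with dynamic range from {first_dyn}")
        if ip in seen:
            problems.append(f"{name} {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return problems


def override(config, section, key, value):
    """Return a copy of config with one value replaced (handy for what-if checks)."""
    new = {s: dict(v) for s, v in config.items()}
    new[section][key] = value
    return new
```

Run `check_ip_plan` against the full parsed YAML before `build` to catch a bad edit to one `*_ip` without waiting for Terraform to fail.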
Thank you very much. I already started a new branch which integrates Cisco AMP / Cisco Secure Endpoint with your changes. I also want to add that the logging is forwarded to Splunk. I will let you know when it is done.
I started to merge in the first PR with contribution from you with Cisco Secure Endpoint. I added you to the contributors. Thank you.
move all IPs to config, add ability to install apps from a private s3 bucket, add support for installing Tenable Nessus Agent, Palo Alto Cortex XDR, and Cisco Secure Endpoint. Remove deprecated language. Fix Ansible templates where variable interpolation was failing due to wrong quotes.